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Improved key management is provided by a public key replacement apparatus and method for operating over insecure networks. An 
active public key and an encrypted replacement public key are provided by a key server to nodes where the active key is used to encrypt 
and verify messages. To replace the active public key with the replacement public key. a key replacement message is sent to the node. 
The key replacement message contains the key for decrypting the replacement public key and contains an encrypted next replacement key. 
The key replacement message is signed by the active public key and the replacement public key. Nodes are implemented by a computer, 
a smart card, a stored data card in combination with a publicly accessible node machine, or other apparatus for sending and/or receiving 
messages. In a particular application, a financial transaction network, nodes are consumer nodes, merchant nodes, or both, and transactions 
are securely sent over a possible insecure network. 
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KEY REPLACEMENT IN A PUBLIC KEY CRYPTOSYSTEM 

COPYRIGHT NOTICE 

A portion of the disclosure of this patent document contains 
material which is subject to copyright protection. The copyright owner 
5 has no objection to the xerographic reproduction by anyone of the 
patent document or the patent disclosure in exactly the form it appears 
in the Patent and Trademark Office patent file or records, but 
otherwise reserves all copyrights whatsoever. 

FIELD OF THE INVENTION 

10 The present invention relates to the field of secure transaction 

processing, more specifically to the field of public key encryption of 
transaction data. 

BACKGROUND ART 

A cryptographic system is a system for sending a message from a 
15 sender to a receiver over a medium so that the message is "secure", 
that is, so that only the intended receiver can recover the message. A 
cryptographic system converts a message^ referred to as "plaintext" 
into an encrypted format, known as "ciphertext." The encryption is 
accomplished by manipulating or transforming the message using a 
20 "cipher key" or keys. The receiver "decrsT^ts" the message, that is, 
converts it from ciphertext to plaintext, by reversing the manipulation 
or transformation process using the cipher key or keys. So long as only 
the sender and receiver have knowledge of the cipher key, such an 
encrypted transmission is secure. 

25 A "classical" crsrptosystem is a cryptosystem in which the 

enciphering information can be used to determine the deciphering 
information. To provide security, a classical cr3i)tosystem requires that 
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the enciphering key be kept secret and provided to users of the system 
over secure channels. Secure channels, such as secret couriers, secure 
telephone transmission lines, or the like, are often impractical and 
expensive. 

5 A system that eliminates the difficulties of exchanging a secure 

enciphering key is known as "public key encryption." U.S. Patent no. 
4,405,829 and Diffie and Hellman, "New Directions in Cryptography," 
IEEE Trans. Inform. Theory, vol. IT-22, pp. 644-654, Nov. 1976, teach 
public key encryption. With public key encryption, two keys are used, a 

10 private key and a public key. The keys are symmetrical, i.e., either key 
can be the public key or the private key - the labels ''public'' and 
"private" simply identify which key is made available to the public, and 
which key is kept private by the "owner" of the key pair. Public key 
encrjrption is applied to a "message". A message is text, graphics, data, 

15 or other digitized information, and public key encryption is used to 
either encr3T3t the message making it unreadable by anyone unless 
they have the private key or to create a readable message with a 
digital signature. A digital signature is created for a specific message 
using the private key. Only a person with knowledge of the private key 

20 is able to create a valid digital signature for a given message, so this 
prevents others from generating or altering messages and creating 
forged signatures. 

To keep a message to the key owner private, the sender of the 
message will obtain the recipient's public key and use that key to 
25 encrypt the message. Before encryption, the message is said to be a 
"plain text" message (although the message might not be text at all) 
and following encryption, the message is said to be a "cipher text" 
message. The cipher text message can only be converted back to the 

2 
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original plain text message by a deciyptor knowing the recipient's 
private key (the other key in the recipient's key pair). Of course, with 
enough computing power and a poorly chosen encryption scheme or key 
pair, a decryptor might be able to extract the plain text message 
5 without knowing the key. It is assumed here that a robust encryption 
scheme is selected such that the private key is indeed reqmred. 

A message is digitally "signed" by the key owner by applying a 
key and the message to a digital authenticator, which outputs a digital 
signature to be attached to the message .xxThe recipient of the message 

10 can then apply the message, the digital signature and the key used to 
generate the signature to an authenticator which will indicate whether 
or not the digital signature was generated from that exact message 
and the key. With public key signatiures» the private key is used to 
generate the digital signature and the public key is used to verify the 

15 signature. 

In a transaction processing system, such as with the use of 
smart cards or terminals, a transaction is formed into a message and 
encrypted using the secret key of the operator of the transaction 
processing system. The term "smart card" refers to a card such as a 

20 bankcard which contains data storage and computing ability, as 
opposed to a more conventional card, which contains only data storage, 
typically in the form of data stored on a magnetic stripe. A terminal 
might be an automatic teller machine (ATM), a terminal in a bank, a 
home personal computer, or other means for a user to send and receive 

25 data. 

U.S. Patent no. 4,972,472 issued to Brown et al. shows a method 

and apparatus for changing a master key in a cryptographic system. 

That system provides storage locations for three keys: a pending key, 

3 
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an active key and a retired key, When a key is to be replaced, the new 
key is stored in pending key location. When a key update command is 
given, the existing active key is shifted to the retired key location and 
the pending key is shifted into the active key location. The retired key 
5 is used for applications which have not yet been made aware of the key 
change. Over time, applications are made aware of the change and 
shift over from using the retired key to using the active key. 

One disadvantage of the Brown et al. system is that a 
replacement key could be sent by someone with unauthorized access to 
10 the channel used to transmit the keys. Thus, the key replacement 
apparatus is only useful where the channel in which the replacement 
keys are sent out is secure. 

As should be apparent, anyone knowing the key owner's secret 
key can pose as the key owner, read the key owner's messages and 

15 create or alter messages sent in the name of the key owner. In an 
insecure system, unauthorized persons have the ability to view the 
traffic between the key server and the key users, whether or not such 
eavesdroppers know the secret keys being used. Once a secret key is 
compromised, it can no longer serve its purposes of making messages 

20 private. 

One problem with a distributed system of smart cards or 
terminals is that they are widely distributed and when a secret key is 
compromised, it is impractical for all the holders of the smart cards or 
users of terminals to return to the central key authority to exchange 
25 keys or otherwise establish a clear channel to transmit the 
replacement key. 

4 
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Another problem is the rapid and continual increase in 
computing power available. The impending obsolescence of DES (Data 
Encrjrption Standard - a secret key algorithm) is in part due to the 
subsequent developments in computing. At one time, a noted 
5 cryptologist calculated that a message encoded with DES could be 
decrypted without knowing the secret key in a month using $20 million 
in computer hardware. Recently, a group of noted cryptographers 
estimated that a $10 million investment in hardware would recover a 
DES key in 6 minutes (see "Minimal Key Liengths for Symmetric 
10 Ciphers to Provide Adequate Commercial Security" Blaze et al., A 
Report by an Ad Hoc Group of Cryptographers and Computer 
Scientists, January 1996). Thus, what is needed is a capability to 
increase security of keys as large amounts of raw computing power 
becomes more accessible to potential attackers. 

SUMMARY OF THE INVENTION 

Improved key management is provided by virtue of the present 
invention. In one embodiment, an active pubUc key and an encrypted 
replacement pubhc key are provided by a key server to nodes of the 
network. Each time a key replacement is performed, the active public 
key is discarded, the replacement public key replaces the active public 
key, and the next replacement pubUc key replaces the replacement 
public key. Thus, two public keys are recognizable at a node at any one 
time. These keys are network- wide keys and are used in addition to 
any node-specific key pairs. 

25 Each node includes a system for sending and receiving messages 

to and from the network, such as a networked personal computer, a 
smart card, or a data card combined with a public terminal. Initially, 
each node is provided with the active public key and the replacement 

5 
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public key, along with any default node "owned" key pairs. The 
network-wide public keys have corresponding private keys which are 
owned by the operator of the network. The initial keying of the node is 
done over a secure channel between the node and the network 
5 operator. While other secure channels are possible, the simplest 
method is for the network operator to maintain control over some 
element of the node diiring the process of installing the initial public 
key information. 

A node uses the active public key (the network active public key) 
10 to encr5Tf)t or sign messages destined for the key server or a third 
party. When the active private key has been compromised or is at risk 
of calculation, the key server sends out a key replacement message 
containing the replacement key and the encr3i>ted next replacement 
key, replaces the active private key from the replacement private key 
15 storage and places the encrjrpted next replacement private key into the 
replacement private key storage. As should be apparent, according to 
this chain of succession, each new key (public or private) is first a next 
replacement key, then a replacement key, then an active key, then 
finally it is discarded. At the node, the active public key is replaced 
20 with the replacement public key and the replacement pubUc key is 
replaced with the the next replacement pubhc key. 

The key replacement message also contains the key for 
decrypting the replacement public key and the message is signed by 
the active private key and the replacement private key. Because the 
25 message is signed by the replacement private key, it could only come 
from an entity with knowledge of the replacement private key before 
the message was sent. The decryption used on the encrj^sted next 

6 
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replacement key need not be the same as that used on the encrypted 
replacement key. 

If brute force computation of the active public/private key pair 
becomes feasible, that pair is deemed compromised, and the key 
5 replacement process is performed. Because the replacement public key 
is only available to an attacker in encrs^pted form, increasing 
computing power does not weaken the encrypted replacement public 
key as fast as the active public key, since many more operations are 
needed to decrypt the replacement public key and to then reverse 

10 engineer the replacement public key, compared to just reverse 
engineering the active public key. Thus, encryption of the replacement 
public key until it is needed at the active public key helps ensure that 
the replacement key cannot be computationally determined with the 
same order of magnitude of computing power required to 

15 computationally determine the active public key. 

In a specific embodiment, multiple nodes of an insecure network 
are defined by the interconnected computers (personal computers, 
workstations, etc.) configured with the ability to send messages from 
one node to another or from one node to many nodes. At each node, 

20 memory is maintained with the active public key, the encrs^jted 
replacement pubhc key, and the node's specific private/public key pair. 
Typically, a node is associated with one user, such as an individual 
using the node to send messages to other users at other nodes. For 
example, a node could be a personal computer connected to the 

25 Internet and the messages could be financial transactions transmitted 
by the user to banks and/or merchants. 

In an alternate specific embodiment, the key user uses a smart 

card to store the active public key and the encrs^pted replacement 

7 
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public key, the key server is a financial institution and the message 
sent between the key user and the key server are financial 
transactions. In yet another embodiment, user specific data is stored 
on a card held by the user and the card is inserted or read by a publicly 
5 available terminal to form the node system. 

In other embodiments, a node maintains multiple sets of active 
and replacement public keys, one from each of a plurality of master 
nodes. This allows for independent secure communications with 
different master nodes. 

10 A further understanding of the nature and advantages of the 

inventions herein may be reaUzed by reference to the remaining 
portions of the specifications and the attached drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 
Figure 1 is a block diagram of a network in which the present 
15 invention is used; 

Figure 2 is a flow chart of a process of replacing a key in a 
secure manner; 

Figure 3 is a block diagram of a specific application wherein the 
network is used to carry secure traffic between consumers and 
20 merchants; and 

Figure 4 is a schematic diagram of a portion of a key 
replacement message. 



8 
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DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

A system for key replacement in a public key cryptography 

system using enciyption is described. In the following description 

5 numerous specific details, such as key length, encrs^ption algorithm, 

etc., are set forth in detail in order to provide a more thorough 

description of the present invention. It will be apparent, however, to 

one skilled in the art, that the present invention may be practiced 

without these specific details. In other instances, well known features 

10 have not been described in detail so as not to unnecessarily obscure the 

present invention. 

Figure 1 is a block diagram of a network 10 which connects two 
nodes 12 (user node 1 and user node 2) to each other and to a key 
server 16. Although only two nodes are shown for clarity, it should be 
15 apparent that many more nodes are possible. As should also be 
apparent, network 10 need not be actually insecure, but is assumed to 
be so. An insecure network is a network where the possibility exists 
that an eavesdropper 18 is listening to network tra£&c. 

Each node 12 is shown coupled to its own data key storage 20. 

20 User node 1 is shown with a message block 22 containing a message 
intended for delivery over network 10 to user node 2. Data key storage 
20 contains storage for the active public key, the encrs^ted 
replacement public key and the user node's private/public key pair. 
Typically, the nodes are associated with individuals and organizations 

25 who are network users and operate and control their respective nodes, 
to send messages as desired, read received messages^ change the user 
node key pair and publish the user node public key. 
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The following notation is used herein: "A" refers to the active 
key pair, with "Apu" being the active public key and "Apr" being the 
active private key. Likewise, the replacement key pair is "R", with 
"Rpu" being the replacement public key" and "Rpr" being the 
5 replacement private key. Encryption of a message M using a key K is 
written as E_K(M), while decr3T)tion of the encrypted message E_K(M) 
using key K is written as D_K(E_K(M)). This notation refers to both 
secret key encryption and pubhc key encryption, although when 
referring only to public key encrsTption, the more specific notation 
10 E_Kpu(M) and D_Kpr (M) is used to clearly indicate the different 
components of the key or key pairs are used for encrjrption and 
decryption. The functions E_KO and D_KO need not be distinct. For 
example, where encryption is the exclusive ORlng of the message and 
the key, E„KO and D_KO are the same functions. 

15 The user key pair is denoted by "U", with the pubUc and private 

keys being "Upu" and "Upr*' respectively. A user key pair is 
distinguished from the active key pair and the replacement key pair in 
that the latter two pairs are used system wide, while a user key pair is 
generated and maintained by the user of a specific node. 

20 Often, to ensure that the contents of a message have not been 

altered and to verify the node from which a message was sent, the 
message is "digitally signed". To digitally sign a message, a node 
generates a digital signature block from the message contents and the 
node's private key as is known in the art. The digital signature block is 

25 then attached to the message. Because of the way the digital signature 
block is generated, it would be extremely difficult to determine a 
digital signature block for a message without knowing the private key 
used, and the digital signature blocks for the original message and an 

10 
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altered version of that message are unlikely to be the same. In a digital 
signature system, the recipient can apply the message, the digital 
signature block and the sender's public key to a signature verifier- The 
signature verifier reports whether or not that message was the exact 
5 message used to generate the digital signature. Herein, a message with 
a digital signature is denoted as (M) [K], where M is the message and 
[K] is the digital signature generated for message M using key K. 

In the example described below, only one master node is used 
and the operator of that node controls key server 16 and thus controls, 
10 or "owns*', the active public/private key pair and the replacement 
public/private key pair. Thus, the operator of key server 16 knows, and 
keeps secret, the active private key and the replacement private key. 
In some systems, the active and replacement key pairs are referred to 
as "system key pairs" to distinguish them from user key pairs. 

15 In Figure 1, key server 16 is shown coupled to a key server 

public key database 24 for holding the public keys of each participating 
node. Key server 16 is also shown coupled to receive "replace key" 
commands from a central public key controller 26, which is in turn 
coupled to storage 28 for the active private key (Apr) and storage 30 for 

20 the replacement private key (Rpr). Key server 16 sends messages, such 
as message 40 and key replacement message 42 to nodes 12 over 
network 10. In a preferred embodiment, storage 28 and storage 30 are 
not located in the same physical location or secured by a common 
security method, so that a single breach of security which allows access 

25 to one key will not allow access to the other key. 

It is assumed that eavesdropper 18 has the capability to send 

messages which appear to be sent by a node other than itself, such as 

node 12 or key server 16. With this capability, eavesdropper 18 might 

11 
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send a key replacement message to user node 1 falsely indicating that 
the message was sent by key server 16- This forged message would 
instruct user node 1 to update Apu to a value provided (apparently) by 
key server 16, If eavesdropper 18 sends a false Apu value which is 
5 paired with a private key known to eavesdropper 18, and if user node 1 
accepts the message as authentic and changes Apu, eavesdropper 18 
will be able to decrypt all subsequent messages encrypted with the 
false Apu. Eavesdropper 18 could also send key server 16 a message 
apparently from user node 1 where the message indicates that user 
10 node 1 has changed its user public key, Ulpu, to a public key which is 
paired with a private key known by eavesdropper 18. If accepted by 
key server 16, eavesdropper 18 would then be able to decrypt any 
messages from key server 16 which are encrypted with Ulpu. 

In operation, of course, user nodes 12 and key server 16 are 
15 more cautious. To securely send a message from one node to another, 
the sender must obtain the recipient's real public key and use that key 
to encrypt the message. To know the real key for the recipient, the 
sender must have some way of assuring that the public key for the 
recipient is correct. The public keys for specific nodes are obtained by 
20 querying key server 16, which supplies the public keys from node key 
database 24. These public keys are the keys published by the user 
nodes. 

Since network 10 is deemed insecure, it is assumed that if user 
node 1 requests a public key from user node 2, eavesdropper 18 could 
25 stand in place of user node 2, -ntercept the request, reply with a key 
known to eavesdropper 18, ii. percept the message and decrypt the 
message. To prevent this scenario, the user nodes supply their pubUc 
keys to key server 16 using a message which could not have been sent 
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from eavesdropper 18 and which is not readable by eavesdropper 18. 
To do this, key server 16 needs to engage in one initial secure 
interaction with each node, to get the node's public key and be assured 
that it was sent from that node. Fortunately, this is easily done during 
5 the set-up of a node. For example, if the node is a personal computer, a 
distribution diskette could contain an initial user key pair or the key 
pair could be distributed over the telephone. If each message from a 
node to key server 16 is digitally signed with the node's private key, 
key server 16 is assured that it was not sent by eavesdropper 18. If the 

10 message is also encrjrpted with the active pubhc key, eavesdropper 18 
cannot read the message. If one user compromises the private key of its 
node, the security breach is confined to that user's node and is easily 
remedied by sending a new key over a secure channel to that node 
(e.g., sending a new smart card to the user of the node). However, if the 

15 active public key is compromised, without more, each node in the 
entire system would have to be reinitialized with the replacement 
public key over secure channels. The secure channel is not needed with 
the present invention where only the active key is compromised, 
whether it be by authorized access to storage 28 or by computational 

20 brute force. 

Key server 16 accepts key replacement commands from central 
public key controller 26, which decides when to replace the active 
public key, Apu. Central pubhc key controller 26 generates a new 
replacement key pair each time the active key is to be replaced with 
25 the existing replacement key, and updates storage 28 and 30 
accordingly. Herein the new key pair is referred to as (Rlpu, Rlpr), 
and subsequently generated new pairs are (R2pu, R2pr), (R3pu, RSpr), 
etc. The process of secure replacement of the public key over an 
insecure network is shown in Figure 2. 

13 
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Figure 2 is a flow chart of a process for publishing a public key 
and for replacing a public key when its paired private key is 
compromised or insufGciently secure. In the example shown, the public 
key being replaced is Apu, the active public key of key server 16. The 
5 active public key might not be actually compromised, as key 
replacement might be called for as technology advances to the point 
where it is conceivable that Apu could be calculated by brute force, in 
which case the replacement key would be a longer or more complex 
key. Alternatively, key replacement could occiu* on a regular, periodic 
10 basis, since a secure channel is not needed. The process of key 
replacement must occur both at key server 16 and at nodes 12, since 
keys are paired. Thus, when the private key is replaced in storage 28, 
that replaced key cannot be used unless the public key stored in data 
storage 20 is also replaced. 

Referring again to Figure 2, the steps of the process shown there 
are labeled SI, S2, S3, etc., for ease of reference. In step Si, Apu and 
E_X(Rpu) are supplied initially to each node over a secure channel. As 
explained above, this step need only be done once. The key replacement 
process begins with step S2, where a new key pair (Rlpu, Rlpr) is 
generated). This is done by either key server 16 or central pubhc key 
controller 26. In step S3, key server 16 sends a key replacement 
message (such as key replacement message 42 shown in Figure 1 and 
in detail in Figure 4) to each node 12, or broadcasts a single key 
replacement message. A number of fields of key replacement message 
42 are shown in Figure 4. These fields include the next replacement 
public key, data necessary to decode the replaceir t public key, and 
digital signatures for the message. 



14 
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The entire key replacement message is digitally signed by both 
the active private key, Apr, and the private replacement key, Rpr. 
Additionally, the message might be encrypted using the active public 
key, Apu. However, given that Apu might have been compromised, a 
5 more secure method is to send separate messages to each node, each 
encrypted with the node's public key. If the key replacement message 
is encrypted , it is decrypted by the node. 

Figure 4 shows key replacement message 42 in greater detail. 
This message 42 is sent from key server 16 to node 12 as part of the 
10 key replacement process. The fields shown are X, D_XO, E_Xl(Rlpu), 
SIG (Apr) and SIG(Rpr). 

The key replacement process has the following steps: 1) a new 
key pair is generated by central public key controller 26, 2) central 
public key controller 26 moves the existing replacement private key 

15 from storage 30 to storage 28, making it the new active private key, 3) 
central pubUc key controller 26 moves the next replacement private 
key to storage 30, making it the new replacement private key, 4) 
central public key controller 26 sends a key replacement command to 
key server 16, where the key replacement command includes the new 

20 public key from the next replacement key pair, and 5) the next 
replacement public key is inserted into message 42 as field 
E_Xl(Rlpu). This example is for the first generation of key 
replacement. In the second generation, the field is designated 
E_X2(R2pu}, to be consistent with the conventions used here. Because 

25 the keys are paired, these steps must be done together, otherwise 
messages might be encrypted with one generation of keys and 
decryption would be attempted with a different generation of keys. 
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The field X contains the decryption key for E_X(Rpu), the 
encrypted replacement key which resides at the node to which message 
42 is sent. The field D_XO contains the decr3n3tion method for 
E_X(Rpu). In some embodiments, D_XO is known ahead of time as the 
5 user node, so this field is not needed. This field contains, depending on 
implementation, parameters and/or program instructions for the 
decoding process. With the X and D^XQ fields, the node can decrypt the 
replacement public key. 

The field E__Xl(Rlpu) is generated by encrypting the next 
10 replacement public key, now designated Rlpu, according to the 
encrsrption function E_X10- The encr3rption of Rlpu can be performed 
either by central public key controller 26 of key server 16, 

The fields SIG(Apr) and SIG(Rpr) are digital signatures, also 
sometimes referred to as [Apr] and [Rpr], respectively. The digital 
signature SIG(Apr) is a signature of message 42 using the currently 
active private key, i.e., the contents of storage 28 before the 
replacement is done. This digital signature is verified by applying 
message 42 and the other key which is paired with the signing key 
Apr, namely active public key Apu, to a verifier. Similarly, the digital 
signature SIG(Rpr) is verified by applying message 42 and the 
replacement public key, Rpu, to the verifier. Of course, the replacement 
public key, Rpu, must be decrypted before it can be applied to the 
verifier. 

If both digital signatures verify m -^age 42, the node replaces 

25 E_X(Rpu) wit E_Xl(Rlpu) and replaces m with Rpu. In this way, 

the active public key stored in storage j.O is replaced with the 

replacement public key, which was also stored in storage 20, and the 

replacement replacement pubhc key extracted firom message 42 is 
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Stored in storage 20 as the replacement public key. Of course the next 
replacement pubhc key is encrypted and stored in its encrypted form, 
until the next generation when it is needed as the active pubhc key. 

Referring again to Figure 2, in step S4, the digital signature 
5 [Apr] is verified using Apu. If the digital signature does not match the 
message and the active pubUc key (Apu)» then the key replacement 
message is ignored (S6). In some embodiments, the node will send a 
message to key server 16 to the effect that an unauthorized key 
replacement message has apparently been sent. 

10 If the digital signature [Apr] is verified, the replacement pubUc 

key, Rpu, is extracted from the key replacement message (S6), using 
the key and decryption method provided by the key replacement 
message. 

Once the replacement pubhc key, Rpu, is decrypted, it can be 
used to verify the digital signature [Rpr] of the key replacement 
message (S7). If the digital signature [Rpr] does not verify, the process 
flows to step S5, otherwise it continues to step S8. In step S8, the node 
replaces Apu in storage 20 with the replacement public key, Rpu and 
replaces E_X(Rpu) in storage 20 with the encrypted next replacement 
pubhc key, E.Xl(Rlpu) (S9). 

At this point, key replacement is complete. If desired, the 
process can be repeated (SIO) so that yet another new key pair (R2pu, 
R2pr) is generated, where R2pu becomes the replacement key with 
Rlpu being the active key. Performing the process twice is useful 
where both the active key and the replacement key are nearing 
obsolescence. If the replacement key is only ever generally available in 
encrypted form, any computation to break the keys will take longer to 
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break the replacement key than the active key, since the encrsrption on 
the replacement public key must first be broken before the 
replacement private key can be attacked. 

If the replacement private key is physically compromised, but 
5 the active private key is not, this method will still securely transmit 
the key replacement message over the insecure network, since it is 
signed by the active private key. Of course, in this situation, the key 
replacement would be done twice in quick succession, in order to retire 
the compromised replacement key. 

10 Figure 3 shows a specific application of the key replacement 

system, a financial transaction system 100. Several elements of Figixre 
1 are shown again in Figure 3: network 10, eavesdropper 18, node 
public key database 24, central public key controller 26, and storage 28 
and 30. System 100 is used to facilitate a secure transaction, such as a 

15 credit or debit card transaction between a consumer at a consumer 
node 102 and a merchant at a merchant node 104 via network 10. 
Consumer node 102 is implemented as a personal computer, a smart 
card, or a publicly accessible terminal. If consumer node 102 is a 
publicly accessible terminal, such as an ATM, kiosk or point-of-sale 

20 (POS) terminal, data personal to the consumer would be stored 
separately (labeled "personal storage 110" in the figure), and would 
include key storage 106 similar to key storage 20 shown in Figure 1 
and a financial database 108, each coupled to consumer node 102. Key 
storage 106 coupled to the consumer node 102 stores the central public 

25 keys and the consumer's keys, pubHc and private, as well as other 
consumer specific data. Merchant node 104 also is coupled to its own 
key storage 106, which stores the central pubUc keys and merchant 
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keys. If a node 12 is both a consumer and a merchant node, it might 
use the same keys for both buying and selling transactions. 

A key server 112 is coupled to network 10 and central pubUc 
controller 26. Key server 112 serves the same purpose as key server 16 
5 of Figure 1, as well as an additional purpose of being an authorization 
server which uses secure links to a financial network to secure 
authorization and/or funds for transactions entered into by a consumer 
at consumer node 102. 

A transaction is shown in Figure 3 by paths numbered 1 through 
10 5. A consumer initiates the transaction. For example, a consumer 
might browse publicly available files of offerings of a merchant, such as 
World Wide Web pages on the Internet and decide to order a product. 
To pay for the product, the consumer sends a secure message to the 
merchant. To do this, consumer node 102 sends a public key request 
15 message to key server 112 (path 1). Key server then responds with a 
public key value message back to consumer node 102 indicating the 
public key for merchant node 104 (path 2). These two messages are 
sent secured by the methods described above. The message to key 
server 112 and its response are encrypted and/or signed using the 
20 public and private keys of key server 112, so those keys must be kept 
especially secure. 

The consmner node 102 then sends the transaction data to 

merchant node 104 in a message encrypted with the public key for 

merchant nod 104 and signed by the private key for consumer node 

25 102. For example, the message might say "charge item #123, quantity 

1, to card number 47##-####-####-####, expiration date mm/yy". This 

message is decrj^table only by the merchant node, since the merchant 

node private key is required for decryption. Merchant node 104 uses 
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this information to process the payment over the secure financial 
network.xxThe merchant can verify the signature on the transaction 
using the consumer's public key, which can be obtained from key 
server 112, 

5 Before submitting the payment over the financial network, 

merchant node 104 can check card authorization either through the 
financial network or through key server 112 (via path 4), which would 
then check for authorization and secure funds. Key server 112 then 
(path 5) securely reports the results of the authorization to consumer 
10 node 102 as well as merchant node 104. 

As should be apparent, the above-described method and 
apparatus might also be used to perform bill payment or the secure 
network might be entirely replaced by network 10, in which case issuer 
banks (who issue credit, debit or bank cards to consumers), acquirer 
banks (who acqiiire transactions from merchants), and settlement 
systems could be nodes on network 10. Bill payment might be 
performed as taught by U. S. Patent No. 5,465,206 (Appl. Serial No.: 
08/146, 515), issued to Hilt, et al. on November 7, 1995 and commonly 
owned with the present application. That patent is incorporated by 
reference herein. 

In summary, the above detailed description has described a 
method and apparatus for securely distributing keys over an insecure 
network fi-om a central source, to allow secure communications 
between nodes and a key server and from nodes to nodes, even where 
25 each node has no means to verify the identity of any other node except 
the key server. The keys that are distributed are the network public 
keys, 
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The above description is illustrative and not restrictive. Many 
variations of the invention will become apparent to those of skill in the 
art upon review of this disclosure. Merely by way of example, the 
apparatus might be implemented wholly in general purpose computers 
5 suitably programmed or could be implemented by special purpose 
hardware or integrated circuitry. Also, the above description shows the 
application of key replacement to the public key of a network, i.e., the 
master node's public key. However, the same key replacement methods 
and apparatus could also be used for more secure replacement of user 
10 node keys. In such a system, the key server would maintain user public 
keys and replacement user public keys. 

The scope of the invention shoidd, therefore, be determined not 
with reference to the above description, but instead should be 
determined with reference to the appended claims along with their full 
15 scope of equivalents. 
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WHAT IS CLAIMED IS: 

1, A method of secure key replacement in a public key 
cryptography system, wherein secure messages are transmitted from a 
first node to a second node over a network presimied to be insecure, the 
5 method comprising the steps of: 

generating , at the first node, an active key pair comprising an 
active private key and an active public key, wherein the active key pair 
is used to secure messages between the first and second nodes 
according to a public key scheme; 

10 generating, at the first node, a replacement key pair comprising 

a replacement private key and a replacement public key; 

encrypting , at the first node, the replacement public key to form 
a encrjTJted replacement public key; 

sending the active pubUc key and the encrypted replacement 
15 pubhc key firom the first node to the second node over a secure channel; 

when the active key pair is to be retired, performing the steps of: 

generating, at the first node, the next replacement key pair 
comprising the next replacement private key and the next replacement 
public key; 

20 encrypting , at the first node, the next replacement pubUc key to 

form an encr3T)ted next replacement public key; 

sending the encrypted next replacement public key from the first 
node to the second node over the network; and 
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decrjrpting , at the second node, the encrypted replacement 
public key; and 

thereafter using the replacement key pair as the active key pair, 
for use in securing messages between the first and second nodes, and 
5 thereafter using the next replacement key pair in place of the 
replacement key pair, which is stored for use in a subsequent key pair 
retiring step. 

2. The method of claim 1, wherein the process of retiring the active 
key pair further comprises the steps of: 

10 sending, from the first node to the second node, a decryption key 

for decrjrpting the encrj^ted replacement public key; and 

sending, from the first node to the second node, digital 
signatures for providing to the second node that the active private key 
and the replacement private key were known to the initiator of the 
15 process for retiring the active key pair. 

3. The method of claim 1, further comprising the step of sending a 
message from the first node to the second node, wherein the message is 
digitaUy signed using either the active private key or the replacement 
private key or both. 

20 4. The method of claim 1, further comprising the step of sending a 
message from the second node to the first node, wherein the message is 
encrypted using either the active public key or the replacement public 
key or both. 

5. The method of claim 1, wherein replacement of the 
25 encrypted replacement public key with the encrypted next replacement 
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public key is performed at the second node and is performed 
synchronously with the replacement of the active private key with the 
replacement private key and the replacement of the replacement 
private key with the next replacement private key at the first node. 

5 6. The method of claim 1, wherein the first node is a key server 
node and the second node is one of a plurality of user nodes. 

7. The method of claim 1, wherein the first node is one of a 
plurality of user nodes and the second node is a key server node. 

8. The method of claim 1, wherein the network connects a plurality 
10 of nodes to each other, the plurality of nodes comprising a plurality of 

key server nodes and a pluraUty of user nodes. 

9. The method of claim 1, further comprising the step of repeating 
the step of retiring a key pair. 

10. A method of secure key replacement in a public key 
15 cryptography system, wherein a first node stores an active private key 

and a second node stores an active public key and a replacement public 
key, the active public key and the active private key being an active 
key pair used for public key cryptography and the replacement pubUc 
key and the replacement private key being a replacement key pair, and 
20 wherein the replacement public key is stored as an encrypted 
replacement public key at the second node, the method comprising the 
steps of: 

generating, at the first node, a next replacement key pair 
comprising a next replacement private key and a next replacement 
25 public key; 
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encrsrpting , at the first node» the next replacement public key to 
form an encrypted next replacement public key; 

sending the next replacement public key from the first node to 
the second node; 

5 decrypting , at the second node, the encrsrpted next replacement 

public key; and 

thereafter using the replacement key pair as the active key pair, 
for use in securing messages between the first and second nodes, and 
thereafter using the next replacement key pair in place of the 
10 replacement key pair, which is stored for use in the subsequent key 
pair retiring step. 

11. The method of claim 10, wherein the step of sending the next 
replacement public key from the first node to the second node is 
performed over a network presumed to be secure. 

15 12. A method of secure key replacement in a pubhc key 
crjqitography system, wherein secure messages are transmitted firom a 
first node to a second node over a network presumed to be insecure, the 
method comprising the steps of: 

generating, at the first node, an active key pair comprising an 
20 active private key and an active public key, wherein the active key pair 
is used to secure messages between the first and second nodes 
according to a public key scheme; 

generating, at the first node, a replacement key pair comprising 
a replacement private key and a replacement public key; 
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sending the active public key and the replacement public key 
from the first node to the second node over a secure channel; 

when the active key pair is to be retired, performing the steps of: 

generating, at the first node, a next replacement key pair 
5 comprising a next replacement private key and a next replacement 
public key; and 

sending the next replacement public key from the first node to 
the second node over the network; and 

thereafter using the replacement key pair as the active key pair, 
10 for use in securing messages between the first and second nodes, and 
thereafter using the next replacement key pair in place of the 
replacement key pair, which is stored for use in a subsequent key pair 
retiring step. 

13. A public key cr5T)tography apparatus for secure communications 
15 over an untrusted network between a key server node and a user node, 
comprising: 

user data storage, coupled to the user node of the untrusted 
network, for storing an active public key and a replacement public key; 

key server data storage, coupled to the key server node, for 
20 storing an active private key and a replacement private key, wherein 
the active private key and the active public key are a key pair and the 
replacement private key and the replacement public key are a key pair; 
and 

means for transmitting a key replacement message from the key 
25 server node to the user node, the key replacement message comprising 
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a next replacement public key and a digital signature proving 
knowledge by the key server node of both of the active private key and 
the replacement private key. 
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